Setting up HTTPS MP SUP SCCM Site Systems for Co-Management


Once you have completed the PKI certificate prerequisites, you are ready to configure the SCCM MP and SUP site system components to use SSL/HTTPS. The HTTPS MP and HTTPS SUP configurations are explained in this post through a video tutorial as well as step-by-step instructions. All of these configurations are shown on an SCCM 1802 production version infrastructure.

Content of this post

1. Video Tutorial to Setup HTTPS/SSL MP and SUP Site System Server
2. How to Setup HTTPS MP - How to make MP communication via SSL channel?
    2.1 SCCM CB Console Actions
    2.2 MP Server IIS Console
3. How to Configure Setup Software Update Point (SUP) to use SSL/HTTPS
    3.1 SCCM CB Console Actions
    3.2 SUP Server IIS Console
4. Bonus Video - How to Setup PKI for SCCM CB Lab
5. Co-Management Related Posts
6. Resources

Video Tutorial to Setup HTTPS/SSL MP and SUP Site System Server

How to Setup HTTPS MP – How to make MP communication via SSL channel?

There are two parts to the configuration of the management point (MP). The first part is done from the SCCM CB console. The second part is done from the IIS console on the management point server. I have shown both parts in this video tutorial. An HTTPS MP is one of the requirements for co-management with SCCM version 1802.

SCCM CB Console Actions

A management point provides policy and content location information to clients. It also receives configuration data from clients. This section covers the HTTPS MP configuration from the SCCM CB 1802 console.

1. Open SCCM console –> Administration Workspace –> Site Configuration –> Servers and Site System Roles
2. Select the Management Point (MP) server, right-click the MP role and click Properties
3. Select HTTPS from the client connections section under the GENERAL tab of the MP site system properties window. This will reinstall the MP component.
4. Choose “Allow Configuration Manager Cloud Management Gateway traffic”.
    Microsoft is constantly improving the design of Client – CMG – MP communication. Hence, I would recommend reading the latest Microsoft documentation if you are in doubt whether this option is suitable for you.
5. Choose to allow mobile devices and Mac computers to use the management point (when required). Click OK to close the window.

MP Server IIS Console

Log in to the Management Point (MP) server for the IIS configuration. This section explains the HTTPS MP configuration from the IIS console side.

1. Make sure you have successfully enrolled a web certificate on that MP server. More details in the following video post here.
2. Open Internet Information Services (IIS) Manager. Expand Sites, select your MP web site (usually ‘Default Web Site’) and select Bindings
3. Select the HTTPS entry and click Edit
4. Select the new web certificate, then click OK and Close
5. Test the HTTPS/SSL connectivity by browsing to your MP web site using its FQDN over HTTPS. There should be no certificate errors.


How to Configure Setup Software Update Point (SUP) to use SSL/HTTPS

There are two parts to the configuration of the Software Update Point (SUP). The first part is done from the SCCM CB console. The second part is done from the IIS console on the SUP server.

SCCM CB Console Actions

A software update point (SUP) integrates with WSUS to provide software updates to SCCM clients. For SCCM to use a software update point that is not installed on the site server, you must first install the WSUS admin console on the site server. My preference would be to use Windows Update for Business for software updates or patching.

1. Open SCCM console –> Administration Workspace –> Site Configuration –> Servers and Site System Roles
2. Select the Software Update Point (SUP) server and Right Click on MP Role and Click Properties
3. The ports should already be listed. WSUS configuration details are given below:
    Port Number: 8530
    SSL port Number: 8531
4. Click Require SSL communication to the WSUS server
5. Click Allow Configuration Manager cloud management gateway traffic
6. Choose “Allow Internet and intranet client connections” from the Client Connection Type section. This option is selected automatically when you select “Allow Configuration Manager cloud management gateway traffic”. Click OK to close the window.


SUP Server IIS Console

Log in to the Software Update Point (SUP) server for the IIS configuration. This section explains the HTTPS SUP configuration from the IIS console side. To configure SSL on the WSUS server by using IIS 7.0:

1. On the WSUS server, open Internet Information Services (IIS) Manager.
2. Expand Sites, and then expand the web site for the WSUS server, WSUS Administration.
3. Perform the following steps on each of these virtual directories, which reside under the WSUS web site WSUS Administration:
    APIRemoting30
    ClientWebService
    DSSAuthWebService
    ServerSyncWebService
    SimpleAuthWebService
4. In Features View, double-click SSL Settings.
5. On the SSL Settings page, select the Require SSL checkbox. Ensure that Client certificates are set to Ignore.
6. In the Actions pane, click Apply.
7. Close Internet Information Services (IIS) Manager.
8. Run the following command from <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the SUP site system server>
9. Restart the IIS services or click the Recycle button in the IIS console
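
The SSL settings from the steps above can be confirmed from PowerShell on the SUP server. This is an added example, not part of the original post; it assumes the IIS WebAdministration module is installed and that the site is named WSUS Administration as in the steps, and it only reads configuration.

```powershell
# Added example: read-only audit of the SUP IIS settings described above.
# Assumes the WebAdministration module and the site name 'WSUS Administration'.
Import-Module WebAdministration

$site  = 'WSUS Administration'
$vdirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
         'ServerSyncWebService', 'SimpleAuthWebService'
$query = @{
    PSPath = 'MACHINE/WEBROOT/APPHOST'
    Filter = 'system.webServer/security/access'
    Name   = 'sslFlags'
}

# Steps 3-6: every listed virtual directory must require SSL and ignore client certs.
$vdirReport = foreach ($vdir in $vdirs) {
    $raw   = Get-WebConfigurationProperty @query -Location "$site/$vdir"
    $text  = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    $flags = @($text -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    [pscustomobject]@{
        VirtualDirectory  = $vdir
        SslFlags          = $flags -join ','
        RequireSsl        = $flags -contains 'Ssl'
        ClientCertsIgnore = -not ($flags -contains 'SslNegotiateCert' -or
                                  $flags -contains 'SslRequireCert')
    }
}
$vdirReport | Format-Table -AutoSize

# The HTTPS binding must carry a certificate that is still valid.
$binding = Get-WebBinding -Name $site -Protocol https | Select-Object -First 1
if (-not $binding -or -not $binding.certificateHash) {
    Write-Warning "No HTTPS binding with a certificate on '$site'."
} else {
    $path = "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
    $cert = Get-Item -Path $path
    [pscustomobject]@{
        Binding  = $binding.bindingInformation
        Subject  = $cert.Subject
        DnsNames = $cert.DnsNameList.Unicode -join ','
        NotAfter = $cert.NotAfter
        Expired  = $cert.NotAfter -lt (Get-Date)
    } | Format-List
}

# Summarise anything that does not match the steps.
$bad = $vdirReport | Where-Object { -not $_.RequireSsl -or -not $_.ClientCertsIgnore }
if ($bad) { Write-Warning ("Review: " + ($bad.VirtualDirectory -join ', ')) }
```

Run it in an elevated PowerShell session, since reading the IIS configuration requires administrator rights.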


Bonus Video – How to Setup PKI for SCCM CB Lab

Co-Management Related Posts

Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG  
How to Setup Co-Management - Introduction - Prerequisites Part 1 
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 
Setup Co-Management - CA PKI & Certificates Part 4 
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6 (This Post)

Resources:-

For more information, see Enable management point for HTTPS.

https://docs.microsoft.com/en-us/sccm/core/plan-design/network/example-deployment-of-pki-certificates#BKMK_webserver42008
